diff --git a/README.md b/README.md index 6e93e87..ef194c3 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,13 @@ # rpi23-gen-image ## Introduction -`rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```). +`rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3/4 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```). ## Build dependencies The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user. ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo``` -It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain. +It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel/aarch64) cross-compiler toolchain. 
The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information. @@ -61,7 +61,7 @@ A comma-separated list of additional packages to be installed by apt after boots #### General system settings: ##### `SET_ARCH`=32 -Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build. +Set Architecture to default 32bit. If you want to compile 64-bit (RPI3/RPI3+/RPI4) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build. ##### `RPI_MODEL`=2 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models: @@ -71,6 +71,7 @@ Specify the target Raspberry Pi hardware model. The script at this time supports - `2` = Raspberry Pi 2 model B - `3` = Raspberry Pi 3 model B - `3P` = Raspberry Pi 3 model B+ +- `4` = Raspberry Pi 4 model B ##### `RELEASE`="buster" Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`. @@ -230,6 +231,7 @@ Reduce the disk space usage by deleting packages and files. See `REDUCE_*` param ##### `ENABLE_UBOOT`=false Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol. +RPI4 needs tbd ##### `UBOOTSRC_DIR`="" Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot. 
@@ -313,7 +315,11 @@ Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enab #### Kernel compilation: ##### `BUILD_KERNEL`=true -Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used. +Build and install the latest RPi 0/1/2/3/4 Linux kernel. The default RPi 0/1/2/3/ kernel configuration is used most of the time. +ENABLE_NEXMON - Changes Kernel Source to [https://github.com/Re4son/](Kali Linux Kernel) +Precompiled 32bit kernel for RPI0/1/2/3 by [https://github.com/hypriot/](hypriot) +Precompiled 64bit kernel for RPI3/4 by [https://github.com/sakaki-/](sakaki) + ##### `CROSS_COMPILE`="arm-linux-gnueabihf-" This sets the cross-compile environment for the compiler. @@ -390,6 +396,18 @@ Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSC ##### `KERNEL_SECURITY`=false Enables Apparmor, integrity subsystem, auditing. +##### `KERNEL_BTRFS`="false" +enable btrfs kernel support + +##### `KERNEL_POEHAT`="false" +enable Enable RPI POE HAT fan kernel support + +##### `KERNEL_NSPAWN`="false" +Enable per-interface network priority control - for systemd-nspawn + +##### `KERNEL_DHKEY`="true" +Diffie-Hellman operations on retained keys - required for >keyutils-1.6 + --- #### Reduce disk usage: @@ -431,9 +449,12 @@ Set password of the encrypted root partition. This parameter is mandatory if `EN ##### `CRYPTFS_MAPPING`="secure" Set name of dm-crypt managed device-mapper mapping. -##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512" +##### `CRYPTFS_CIPHER`="aes-xts-plain64" Set cipher specification string. `aes-xts*` ciphers are strongly recommended. +##### `CRYPTFS_HASH`=sha512 +Hash function and size to be used + ##### `CRYPTFS_XTSKEYSIZE`=512 Sets key size in bits. The argument has to be a multiple of 8. diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh index bc9cd79..6a8187d 100644 --- a/bootstrap.d/11-apt.sh +++ b/bootstrap.d/11-apt.sh 
@@ -16,9 +16,15 @@ install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list" # Use specified APT server and release sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list" + +#Fix for changing path for security updates in testing/bullseye if [ "$RELEASE" = "testing" ] ; then sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list" -else +sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list" +fi + +if [ -z "$RELEASE" ] ; then +# Change release in sources list sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list" fi diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh index e2f550a..2802792 100644 --- a/bootstrap.d/13-kernel.sh +++ b/bootstrap.d/13-kernel.sh @@ -103,7 +103,30 @@ if [ "$BUILD_KERNEL" = true ] ; then #Switch to KERNELSRC_DIR so we can use set_kernel_config cd "${KERNEL_DIR}" || exit - if [ "$KERNEL_ARCH" = arm64 ] ; then + # Enable RPI POE HAT fan + if [ "$KERNEL_POEHAT" = true ]; then + set_kernel_config CONFIG_SENSORS_RPI_POE_FAN m + fi + + # Enable per-interface network priority control + # (for systemd-nspawn) + if [ "$KERNEL_NSPAN" = true ]; then + set_kernel_config CONFIG_CGROUP_NET_PRIO y + fi + + # Compile in BTRFS + if [ "$KERNEL_BTRFS" = true ]; then + set_kernel_config CONFIG_BTRFS_FS y + set_kernel_config CONFIG_BTRFS_FS_POSIX_ACL y + set_kernel_config CONFIG_BTRFS_FS_REF_VERIFY y + fi + + # Diffie-Hellman operations on retained keys + # (required for >keyutils-1.6) + if [ "$KERNEL_DHKEY" = true ]; then + set_kernel_config CONFIG_KEY_DH_OPERATIONS y + fi + if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then # Mask this temporarily during switch to rpi-4.19.y #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config diff --git a/bootstrap.d/14-fstab.sh b/bootstrap.d/14-fstab.sh index c9e018b..e59063f 100644 --- a/bootstrap.d/14-fstab.sh +++ b/bootstrap.d/14-fstab.sh 
@@ -8,108 +8,112 @@ # Install and setup fstab install_readonly files/mount/fstab "${ETC_DIR}/fstab" -# Add usb/sda disk root partition to fstab -if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then - sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab" -fi - -# Add encrypted root partition to fstab and crypttab -if [ "$ENABLE_CRYPTFS" = true ] ; then - # Replace fstab root partition with encrypted partition mapping - sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab" - - # Add encrypted partition to crypttab and fstab - install_readonly files/mount/crypttab "${ETC_DIR}/crypttab" - echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab" - - if [ "$ENABLE_SPLITFS" = true ] ; then - # Add usb/sda1 disk to crypttab - sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab" - fi -fi - -if [ "$ENABLE_USBBOOT" = true ] ; then - sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" - sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" - - # Add usb/sda2 disk to crypttab - sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab" -fi - # Generate initramfs file if [ "$ENABLE_INITRAMFS" = true ] ; then if [ "$ENABLE_CRYPTFS" = true ] ; then + # Include initramfs scripts to auto expand encrypted root partition if [ "$EXPANDROOT" = true ] ; then install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs" install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount" install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" fi - - if [ "$ENABLE_DHCP" = false ] ; then - # Get cdir from NET_ADDRESS e.g. 24 - cdir=$(${NET_ADDRESS} | cut -d '/' -f2) + + # Replace fstab root partition with encrypted partition mapping + sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab" - # Convert cdir ro netmask e.g. 
24 to 255.255.255.0 - NET_MASK=$(cdr2mask "$cdir") + # Add encrypted partition to crypttab and fstab + install_readonly files/mount/crypttab "${ETC_DIR}/crypttab" + echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab" - # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf - sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf - - # Regenerate initramfs - chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" + if [ "$ENABLE_USBBOOT" = true ] && [ "$ENABLE_SPLITFS" = false ]; then + sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" + # Add usb/sda2 disk to crypttab + sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab" + fi + + # Add encrypted root partition to fstab and crypttab + if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_USBBOOT" = false ]; then + # Add usb/sda1 disk to crypttab + sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab" fi - if [ "$CRYPTFS_DROPBEAR" = true ]; then - if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then - install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys - else - # Create key - chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear - - # Convert dropbear key to openssh key - chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa - - # Get Public Key Part - chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub - - # Delete unwanted lines - sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - - # Trust the new key - cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > 
"${ETC_DIR}"/dropbear-initramfs/authorized_keys - - # Save Keys - convert with putty from rsa/openssh to puttkey - cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa - - # Get unlock script - install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh - - # Enable Dropbear inside initramfs - printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + if [ "$CRYPTFS_DROPBEAR" = true ]; then + if [ "$ENABLE_DHCP" = false ] ; then + # Get cdir from NET_ADDRESS e.g. 24 + cdir=$(printf "%s" "${NET_ADDRESS}" | cut -d '/' -f2) - # Enable Dropbear inside initramfs - sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear - fi - else - # Disable SSHD inside initramfs - printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" - fi + # Convert cdir ro netmask e.g. 24 to 255.255.255.0 + NET_MASK=$(cdr2mask "$cdir") + + # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf + # ip=:::::: + sed -i "\$a\nIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf + else + sed -i "\$a\nIP=::::${HOSTNAME}::dhcp" "${ETC_DIR}"/initramfs-tools/initramfs.conf + fi + + if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then + install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys + else + # Create key + chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear + + # Convert dropbear key to openssh key + chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa + + # Get Public Key Part + chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee 
/etc/dropbear-initramfs/id_rsa.pub + + # Delete unwanted lines + sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + + # Trust the new key + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys + + # Save Keys - convert with putty from rsa/openssh to puttkey + cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa + + # Get unlock script + install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh + + # Enable Dropbear inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + + # Enable Dropbear inside initramfs + sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear + fi + # CRYPTFSDROPBEAR=false + else + # Disable SSHD inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + fi # Add cryptsetup modules to initramfs - printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" + #printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" # Dummy mapping required by mkinitramfs - echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}" + echo "0 1 crypt "${CRYPTFS_CIPHER}" ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}" # Generate initramfs with encrypted root partition support chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" # Remove dummy mapping chroot_exec cryptsetup close "${CRYPTFS_MAPPING}" + # CRYPTFS=false else + #USB BOOT /boot on sda1 / on sda2 + if [ "$ENABLE_USBBOOT" = true ] ; 
then + sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" + sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" + fi + + # Add usb/sda disk root partition to fstab + if [ "$ENABLE_SPLITFS" = true ] ; then + sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab" + fi # Generate initramfs without encrypted root partition support chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" fi diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh index bc7c72c..8265cd9 100755 --- a/rpi23-gen-image.sh +++ b/rpi23-gen-image.sh @@ -198,6 +198,10 @@ KERNEL_BPF=${KERNEL_BPF:=false} KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=ondemand} KERNEL_SECURITY=${KERNEL_SECURITY:=false} KERNEL_NF=${KERNEL_NF:=false} +KERNEL_DHKEY=${KERNEL_DHKEY:=true} +KERNEL_BTRFS=${KERNEL_BTRFS:=false} +KERNEL_NSPAN=${KERNEL_NSPAN:=false} +KERNEL_POEHAT=${KERNEL_POEHAT:=false} # Kernel compilation from source directory settings KERNELSRC_DIR=${KERNELSRC_DIR:=""} @@ -219,7 +223,8 @@ REDUCE_LOCALE=${REDUCE_LOCALE:=true} ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false} CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} -CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} +CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64"} +CRYPTFS_HASH=${CRYPTFS_HASH:="sha512"} CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false} @@ -410,7 +415,7 @@ fi # Add cryptsetup package to enable filesystem encryption if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" - APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" + APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup,cryptsetup-initramfs" # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then 
@@ -831,7 +836,7 @@ if [ "$ENABLE_CRYPTFS" = true ] ; then echo -n ${CRYPTFS_PASSWORD} > .password # Initialize encrypted partition - echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password + cryptsetup --verbose --debug -q luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -h "${CRYPTFS_HASH}" -s "${CRYPTFS_XTSKEYSIZE}" .password # Open encrypted partition and setup mapping cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
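Review bot: in the README introduction hunk (`@@ -1,13 +1,13 @@`) the sentence "Raspberry Pi 3 supports 64-bit images" is now inconsistent with the `SET_ARCH` hunk further down, which lists RPI3/RPI3+/RPI4 as 64-bit targets; update the intro to match, and since the only template it points at (`templates/rpi3-stretch-arm64-4.14.y`) is a Pi 3 file, either reference a Pi 4 64-bit template if the repository has one or say that none is provided yet.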
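Review bot: "RPI4 needs tbd" in the `ENABLE_UBOOT` hunk (`@@ -230,6 +231,7 @@`) is a placeholder, not documentation; either describe what U-Boot needs on the Pi 4 or state that `ENABLE_UBOOT` is unsupported for `RPI_MODEL=4`, and have the script reject that combination instead of producing an image whose bootloader has not been tested.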
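Review bot: the three new links in the `BUILD_KERNEL` hunk (`@@ -313,7 +315,11 @@`) have their parts swapped, so `[https://github.com/Re4son/](Kali Linux Kernel)` renders the URL as the visible text and the words as the link target; write them as `[Kali Linux Kernel](https://github.com/Re4son/)`, `[hypriot](https://github.com/hypriot/)` and `[sakaki](https://github.com/sakaki-/)`. "RPi 0/1/2/3/" has a stray trailing slash. The `ENABLE_NEXMON` line and the two "Precompiled ... kernel" lines also do not say which parameter selects those kernels or when they replace the one built from source; because they are third-party binaries that end up as the running kernel, the README should state how (or whether) the download is verified against a checksum or signature.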
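Review bot: the option is documented as `KERNEL_NSPAWN` in the kernel options hunk (`@@ -390,6 +396,18 @@`), but `rpi23-gen-image.sh` defaults and `bootstrap.d/13-kernel.sh` tests `KERNEL_NSPAN`, so a user who sets `KERNEL_NSPAWN=true` as the README says gets no `CONFIG_CGROUP_NET_PRIO`; pick one spelling (`KERNEL_NSPAWN` is the meaningful one) and use it in all three files. Smaller points in the same hunk: "enable Enable RPI POE HAT" doubles the word; the new defaults are written quoted (`"false"`) where the neighbouring `KERNEL_SECURITY`=false is not; and `KERNEL_DHKEY` defaulting to `true` means every build now diverges from the stock kernel config, which the description should say explicitly.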
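Review bot: "Hash function and size to be used" in the `CRYPTFS_HASH` hunk (`@@ -431,9 +449,12 @@`) does not say what the hash is for; describe it as the value passed to `cryptsetup luksFormat -h`, i.e. the hash of the LUKS key-setup scheme (PBKDF, anti-forensic splitter and key digest), and say that it is not part of the cipher specification. The hunk should also tell users with an existing `CRYPTFS_CIPHER="aes-xts-plain64:sha512"` setting to split it into the two parameters, because the `:sha512` suffix is no longer stripped before the value reaches `cryptsetup` and `dmsetup`. Quote the default (`"sha512"`) like the `"secure"` and `"aes-xts-plain64"` defaults next to it.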
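Review bot: the release substitution in the `bootstrap.d/11-apt.sh` hunk is inverted: `if [ -z "$RELEASE" ]` runs `sed -i "s/ stretch/ ${RELEASE}/"` only when `RELEASE` is empty (where it replaces "stretch" with nothing and leaves broken `deb` lines) and skips it for `buster`, so a buster build keeps stretch sources; the removed `else` branch had this right. Either test `[ "$RELEASE" != "testing" ]`, or drop the duplicated `sed` from the testing branch and run the release substitution unconditionally, since it is needed in both cases. The new comment mentions bullseye, but only `RELEASE=testing` is handled: for `bullseye` the `stretch/updates` entry becomes `bullseye/updates`, and from bullseye on the security suite is named `bullseye-security`, so the `-security` rewrite is needed there as well (a `case "$RELEASE" in` over stretch/buster/bullseye/testing would cover all of them).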
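Review bot: `KERNEL_NSPAN` in the `bootstrap.d/13-kernel.sh` hunk does not match the `KERNEL_NSPAWN` name the README documents, so the `CONFIG_CGROUP_NET_PRIO` block is unreachable for anyone following the README (see the README note). In the btrfs block, `CONFIG_BTRFS_FS_REF_VERIFY` is the btrfs extent reference verification debugging option, which carries a runtime cost when enabled; a plain "Compile in BTRFS" switch should set only `CONFIG_BTRFS_FS` and `CONFIG_BTRFS_FS_POSIX_ACL`, with ref-verify left out unless a debugging need is documented.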
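Review bot: moving the fstab and crypttab rewrites under `if [ "$ENABLE_INITRAMFS" = true ]` in the `bootstrap.d/14-fstab.sh` hunk means an `ENABLE_CRYPTFS=true` build with `ENABLE_INITRAMFS=false` no longer gets `/dev/mapper/${CRYPTFS_MAPPING}` in fstab nor a crypttab at all, and the `ENABLE_USBBOOT`/`ENABLE_SPLITFS` fstab edits of the unencrypted path are likewise only made in the initramfs branch; before this change they were unconditional. In the encrypted path the two new `if` blocks are mutually exclusive (`USBBOOT && !SPLITFS`, `SPLITFS && !USBBOOT`), so with both options set neither runs and the image silently keeps `mmcblk0p2`; either fail early on that combination or keep the previous behaviour. Further points in this hunk: the appended `sed -i "\$a\nIP=..."` lines (static and the new DHCP one) changed from the working `\$aIP=` form, and with GNU sed the backslash after `a` is consumed as the `a\` syntax, so check whether the appended line comes out as `nIP=...` and revert to `\$aIP=...` if it does; `echo "0 1 crypt "${CRYPTFS_CIPHER}" ffff..."` closes and reopens the double quotes around the variable, which only works while the cipher string has no whitespace, so write `"0 1 crypt ${CRYPTFS_CIPHER} ffff... 0 7:0 4096"`; the `CRYPTSETUP=y` conf-hook line is commented out rather than removed (the `rpi23-gen-image.sh` hunk adds `cryptsetup-initramfs`, which supplies that hook, so say so or delete the line); the initramfs static-IP setup now runs only when `CRYPTFS_DROPBEAR=true`, where it previously applied whenever `ENABLE_DHCP=false`, a behaviour change the commit should state; and the `# CRYPTFSDROPBEAR=false` end-of-block marker misspells `CRYPTFS_DROPBEAR`. The `cdir=$(printf "%s" "${NET_ADDRESS}" | cut ...)` line is a real fix (the old form tried to execute the address as a command). Because nearly the whole block was re-indented, the diff removes and re-adds the same lines and the logic changes above are hard to spot; splitting the reindent from the functional change would make it reviewable.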
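Review bot: `cryptsetup-initramfs` added to `APT_INCLUDES` in the `rpi23-gen-image.sh` package hunk is a separate package only from cryptsetup 2.x onward, i.e. buster; on stretch, which the README still lists as supported, the initramfs hooks ship in the `cryptsetup` package itself and `debootstrap --include` of a non-existent package will fail, so verify a stretch build or add the package only for buster and later.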
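Review bot: `--verbose --debug` on `luksFormat` in the final `rpi23-gen-image.sh` hunk is at odds with `-q` and dumps cryptsetup's internal state into the build log on every run, which a release build should not do by default; keep `-q` (it correctly replaces the `echo "YES" |` confirmation) and drop `--debug`, or gate it behind an existing verbose option. While touching this block, the context line `echo -n ${CRYPTFS_PASSWORD} > .password` still leaves the variable unquoted, so a passphrase containing spaces or glob characters is word-split and mangled before it becomes the key file; quote it as `"${CRYPTFS_PASSWORD}"`.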